Restate Cloud: SOC 2, Enterprise SSO, and HIPAA

February 12, 2026

Restate Team

Today we announce several capabilities to address common requests in the security and compliance space from teams adopting Restate Cloud.

SOC 2 Certification

We are excited to share that Restate Cloud has attained SOC 2 Type I compliance. This validates that we've designed and implemented controls across security, availability, and confidentiality that meet AICPA standards.

We've also completed our Type II observation window, and the audit is currently in progress. Type II certification validates that these controls operate effectively over time; we expect the final audited report to be available in the coming weeks.

For teams operating in regulated industries or with vendor security requirements, this removes a significant barrier to adoption. Our SOC 2 report and other compliance information are available to current and prospective customers in the Restate Trust Center.

Enterprise SSO

Restate Cloud now supports enterprise single sign-on, giving your team secure, centralized authentication that integrates with your existing identity infrastructure. Organization administrators can also set up authentication policies such as multifactor sign-in requirements for enterprise domains, using Passkey or OTP device enrollment.

  • Direct user management – manage users directly in Restate Cloud
  • SCIM – automatic lifecycle management driven by a compatible directory service

Users can continue to sign in directly at cloud.restate.dev; Restate Cloud also supports identity provider-initiated sign-in so that organizations can add Restate Cloud directly to their application catalog.

Whether you're using Okta, Google Workspace, Azure AD, or another SAML/OIDC-compatible provider, your team can now incorporate Restate Cloud with existing identity workflows.

[Figure: Sign in with SSO.]

Role-Based Access Controls

For organizations with multiple teams, we have introduced role-based access controls that let you control access to distinct groupings of Restate Cloud resources within the same organization. You can now:

  • Create multiple accounts within your organization for logical separation of resources (e.g., by team, project, or environment stage)

[Figure: Switch between accounts in the Restate Cloud UI.]

  • Assign full or read-only access to users across the entire organization, or per account

[Figure: Assign roles to Restate Cloud users.]

We will continue to grow the capabilities in this space and welcome your feedback to shape the roadmap.

Client-Side Journal Encryption (Developer Preview)

For workloads with the highest data confidentiality requirements, we are also introducing client-side journal encryption using customer-managed keys. This feature lets you encrypt journal entries before they ever reach Restate, making your application data fully opaque to us.

This feature is currently available only for the Restate TypeScript SDK, as a developer preview. We have published an AWS KMS-integrated reference implementation that demonstrates how to integrate key management infrastructure. The reference implementation also includes a decryption service, which allows the Restate UI to decrypt invocation journal and state data for suitably authorized signed-in users.

HIPAA and Business Associate Agreements

For teams building in healthcare or handling protected health information, we now offer Business Associate Agreements (BAAs) for enterprise tier customers of Restate Cloud. If you're building HIPAA-compliant applications, contact us to get a BAA in place.


These capabilities are available now for Restate Cloud customers (with journal encryption in developer preview). If you're evaluating Restate for a project with compliance requirements, reach out; we're happy to walk through our security posture and share our SOC 2 report.

Questions? Find us on Discord or get in touch.